DSA-2022-271: Dell PowerScale OneFS Security Updates for Multiple Security Vulnerabilities
Summary: Dell PowerScale remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
This article is not tied to any specific product.
Not all product versions are identified in this article.
Impact
High
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
|---|---|---|---|
| CVE-2022-23089 | Dell PowerScale OneFS versions 9.0.0.x, 9.1.0.x, 9.2.0.x, 9.2.1.x, 9.3.0.x, and 9.4.0.x contain an out-of-bounds read vulnerability. An attacker with ISI_PRIV_LOGIN_SSH or ISI_PRIV_LOGIN_CONSOLE may potentially exploit this vulnerability, leading to a denial of service. | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-23091 | Dell PowerScale OneFS, versions 9.1.0.x through 9.4.0.x, contain a use-after-free vulnerability. A low-privileged local attacker may potentially exploit this vulnerability, leading to information disclosure, system takeover, or complete outage. | 6.7 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
| CVE-2022-33934 | Dell PowerScale OneFS, versions 8.2.x through 9.4.x, contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges may potentially exploit these vulnerabilities to store malicious HTML or JavaScript code through multiple affected fields. | 7.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H |
| CVE-2022-34438 | Dell PowerScale OneFS, versions 8.2.x through 9.4.0.x, contain a privilege context switching error. A local authenticated malicious user with high privileges may potentially exploit this vulnerability, leading to full system compromise. This issue impacts compliance mode clusters. | 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CVE-2022-34439 | Dell PowerScale OneFS, versions 8.2.0.x through 9.4.0.x, contain an allocation of resources without limits or throttling vulnerability. A malicious unauthenticated network user may potentially exploit this vulnerability, leading to denial of service and performance degradation on that node. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CVE-2022-34444 | Dell PowerScale OneFS, versions 9.2.0.x through 9.4.0.x, contain an information vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to cause a data leak. | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVE-2022-34445 | Dell PowerScale OneFS, versions 8.2.x through 9.3.x, contain a weak encoding for a password. A malicious local privileged attacker may potentially exploit this vulnerability, leading to information disclosure. | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
| CVE-2022-34454 | Dell PowerScale OneFS, versions 8.2.x through 9.3.x, contain a heap-based buffer overflow. A local privileged malicious user may potentially exploit this vulnerability, leading to system takeover. This issue impacts compliance mode clusters. | 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Note: CVE-2022-34454 and CVE-2022-34438 score 6.7 (Medium); however, on compliance mode clusters the same 6.7 is treated as Business Critical, as these issues may affect compliance restrictions.
| Third-party Component | CVEs | CVSS Vector String |
|---|---|---|
| Cyrus SASL | CVE-2022-24407, CVE-2019-19906, CVE-2013-4122 | See NVD |
Affected Products & Remediation
| CVEs Addressed | Product | Affected Versions | Updated Versions | Link to Update |
|---|---|---|---|---|
| CVE-2022-23089 | PowerScale OneFS | 9.1.0.0 through 9.1.0.23; 9.2.1.0 through 9.2.1.16; 9.4.0.0 through 9.4.0.6 | Download and install the latest RUP: >= 9.1.0.24, >= 9.2.1.17, >= 9.4.0.7 | PowerScale OneFS Downloads Area |
| | | 9.3.0.0 through 9.3.0.9 | RUP is expected in January 2023. If a fix is needed sooner, upgrade your version of OneFS to >= 9.4.0.7. | |
| | | Any other version | Upgrade your version of PowerScale OneFS. | |
| CVE-2022-23091 | PowerScale OneFS | 9.1.0.0 through 9.1.0.23; 9.2.1.0 through 9.2.1.16; 9.4.0.0 through 9.4.0.6 | Download and install the latest RUP: >= 9.1.0.24, >= 9.2.1.17, >= 9.4.0.7 | |
| | | 9.3.0.0 through 9.3.0.9 | RUP is expected in January 2023. If a fix is needed sooner, upgrade your version of OneFS to >= 9.4.0.7. | |
| | | Any other version | Upgrade your version of PowerScale OneFS. | |
| CVE-2022-24407, CVE-2019-19906, CVE-2013-4122 | PowerScale OneFS | 9.3.0.0 through 9.3.0.7 | Download and install the latest RUP: >= 9.3.0.9 | |
| | | Any other version | See DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates | |
| CVE-2022-33934 | PowerScale OneFS | 9.1.0.0 through 9.1.0.23; 9.2.1.0 through 9.2.1.16; 9.3.0.0 through 9.3.0.7; 9.4.0.0 through 9.4.0.4 | Download and install the latest RUP: >= 9.1.0.24, >= 9.2.1.17, >= 9.3.0.9, >= 9.4.0.5 | |
| | | Any other version | Upgrade your version of PowerScale OneFS. | |
| CVE-2022-34438 | PowerScale OneFS | 9.3.0.0 through 9.3.0.7 | Download and install the latest RUP: >= 9.3.0.9 | |
| | | Any other version | See DSA-2022-245 | |
| CVE-2022-34439 | PowerScale OneFS | 9.3.0.0 through 9.3.0.7 | Download and install the latest RUP: >= 9.3.0.9 | |
| | | Any other version | See DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates | |
| CVE-2022-34444 | PowerScale OneFS | 9.2.1.0 through 9.2.1.16; 9.3.0.0 through 9.3.0.7; 9.4.0.0 through 9.4.0.5 | Download and install the latest RUP: >= 9.2.1.17, >= 9.3.0.9, >= 9.4.0.6 | |
| | | Any other version | Upgrade your version of PowerScale OneFS. | |
| CVE-2022-34445 | PowerScale OneFS | 9.1.0.0 through 9.1.0.20; 9.2.1.0 through 9.2.1.13; 9.3.0.0 through 9.3.0.7; 9.4.0.0 through 9.4.0.4 | Download and install the latest RUP: >= 9.1.0.21, >= 9.2.1.14, >= 9.3.0.9, >= 9.4.0.5 | |
| | | Any other version | Upgrade your version of PowerScale OneFS. | |
| CVE-2022-34454 | PowerScale OneFS | 9.1.0.0 through 9.1.0.20; 9.2.1.0 through 9.2.1.13; 9.3.0.0 through 9.3.0.7 | Download and install the latest RUP: >= 9.1.0.21, >= 9.2.1.14, >= 9.3.0.9 | |
| | | Any other version | Upgrade your version of PowerScale OneFS. | |
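The remediation table gives a different affected range and fixed build per OneFS branch, and the 9.3.0.x branch has no RUP yet for the two memory-safety CVEs, so a version check has to be done per branch rather than against one "minimum version". As an added example (not Dell's code or tooling), the following Python transcribes the per-branch ranges for CVE-2022-23089, CVE-2022-23091, CVE-2022-33934, CVE-2022-34444, CVE-2022-34445 and CVE-2022-34454 from the table above and classifies an installed version against each; the version strings come from the table, while `RANGES`, `parse_version` and `exposure` are names of my own.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
Row = Tuple[str, str, Optional[str]]  # (affected from, affected to, fixed build or None)

def parse_version(s: str) -> Version:
    """'9.2.1.16' -> (9, 2, 1, 16); tuples compare component-wise."""
    return tuple(int(p) for p in s.split("."))

# Transcribed from the Affected Products & Remediation table of DSA-2022-271.
# fixed None = branch listed as affected, RUP still pending (9.3.0.x).
RANGES: Dict[str, List[Row]] = {
    "CVE-2022-23089": [("9.1.0.0", "9.1.0.23", "9.1.0.24"),
                       ("9.2.1.0", "9.2.1.16", "9.2.1.17"),
                       ("9.3.0.0", "9.3.0.9", None),
                       ("9.4.0.0", "9.4.0.6", "9.4.0.7")],
    "CVE-2022-33934": [("9.1.0.0", "9.1.0.23", "9.1.0.24"),
                       ("9.2.1.0", "9.2.1.16", "9.2.1.17"),
                       ("9.3.0.0", "9.3.0.7", "9.3.0.9"),
                       ("9.4.0.0", "9.4.0.4", "9.4.0.5")],
    "CVE-2022-34444": [("9.2.1.0", "9.2.1.16", "9.2.1.17"),
                       ("9.3.0.0", "9.3.0.7", "9.3.0.9"),
                       ("9.4.0.0", "9.4.0.5", "9.4.0.6")],
    "CVE-2022-34445": [("9.1.0.0", "9.1.0.20", "9.1.0.21"),
                       ("9.2.1.0", "9.2.1.13", "9.2.1.14"),
                       ("9.3.0.0", "9.3.0.7", "9.3.0.9"),
                       ("9.4.0.0", "9.4.0.4", "9.4.0.5")],
}
RANGES["CVE-2022-23091"] = RANGES["CVE-2022-23089"]       # same rows in the table
RANGES["CVE-2022-34454"] = RANGES["CVE-2022-34445"][:3]   # no 9.4.0.x row

def exposure(installed: str) -> Dict[str, str]:
    """Per CVE: 'vulnerable' (in an affected range, RUP available),
    'no RUP yet' (affected, fix pending), 'fixed' (same branch, at or
    above the fixed build) or 'not listed' (advisory: upgrade OneFS, or
    see DSA-2022-245 for the older branches)."""
    v = parse_version(installed)
    result: Dict[str, str] = {}
    for cve, rows in RANGES.items():
        status = "not listed"
        for lo, hi, fixed in rows:
            if parse_version(lo) <= v <= parse_version(hi):
                status = "vulnerable" if fixed else "no RUP yet"
                break
            if fixed and v[:3] == parse_version(fixed)[:3] and v >= parse_version(fixed):
                status = "fixed"
                break
        result[cve] = status
    return result
```

Running `exposure("9.3.0.9")` shows the point of per-branch checking: that build is fixed for CVE-2022-33934 but still exposed to CVE-2022-23089 and CVE-2022-23091 until the January 2023 RUP.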
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2022-11-21 | Initial Release |
Affected Products: PowerScale OneFS, Product Security Information
Article Properties
Article Number: 000205618
Article Type: Dell Security Advisory
Last Modified: 13 Feb 2023